On Sun, Dec 13, 2009 at 12:14:10AM +0100, Hilmar Preusse wrote:
> Will try building and running ghostscript 8.64 with pbuilder inside > the lenny chroot next time.8.64 inside lenny chroot does not exhibit the bug, so it's 8.62-specific.8.64 (and greater) is meanwhile in testing. In theory we could close the bug. On the other hand dvipdft is not expected to crash, one could assume this to be an security issue.
It still occurs for me on lenny (8.62.dfsg.1-3.2lenny1), so it's at least a regular bug and I tend to agree on the potential for a security issue. It's quite likely there are automated systems (print servers come to my mind) processing user-provided postscript content with ghostscript. Unfortunately I'm busy with my diploma thesis so cannot investigate whether there might be any attack vector (DoS only probably - floating point exception doesn't sound like code execution is possible).What do you think?
Whatever you decide, it would be nice to get a fixed package for lenny, be it a regular bug fix update, a security update or "just" a backport.
CU Sascha -- http://sascha.silbe.org/ http://www.infra-silbe.de/
Attachment:
signature.asc
Description: Digital signature